Summary

A query cost restriction using the cost-limit can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.

Details

At the start of the computeComplexity function, we have the following check for ignoreIntrospection option:

    if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
      return 0;
    }

However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode

So, for example, sending the following query

query hello {
  books {
    title
  }
}

would create an OperationDefinitionNode with node.name.value == 'hello'

The proper way to handle this would be to check for the __schema field, which would create a FieldNode.

The fix is

    if (
      this.config.ignoreIntrospection &&
      'name' in node &&
      node.name?.value === '__schema' &&
      node.kind === Kind.FIELD
    ) {
      return 0;
    }

to assert that the node must be a FieldNode

PoC

query  {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}

query __schema {
  books {
    title
    author
  }
}

Impact

Applications using GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled.

Fix:

Fixed on 772. A quick patch would be to set ignoreIntrospection to false.

• https://github.com/Escape-Technologies/graphql-armor/security/advisories/GHSA-733v-p3h5-qpq7
• https://github.com/Escape-Technologies/graphql-armor/pull/772
• https://github.com/Escape-Technologies/graphql-armor/commit/5a329541cf32a359ee1f69748738f91231b26eba
• https://github.com/advisories/GHSA-733v-p3h5-qpq7